From 0ceb7fea687646c8ad13d7827e7d495b2636edad Mon Sep 17 00:00:00 2001 From: Julien Gautier Date: Mon, 4 May 2026 14:25:28 +0200 Subject: [PATCH] fix(ci): pass --no-sandbox to Chrome in Lighthouse CI MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Chrome's user-namespace sandbox is unusable inside the act runner container — the host kernel's AppArmor profile (Ubuntu 23.10+) blocks unprivileged user namespaces, so Chrome aborts at the zygote stage with `No usable sandbox`. Lighthouse never connects to the browser and the perf gate fails. `--no-sandbox` is the standard workaround documented by Lighthouse, Puppeteer, and Playwright for containerised CI. The residual risk is acceptable: the browser only loads our own freshly built bundle from http://localhost:4200/ inside an ephemeral self-hosted runner — no untrusted content reaches the renderer. --- lighthouserc.js | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/lighthouserc.js b/lighthouserc.js index 9d44732..d8a2575 100644 --- a/lighthouserc.js +++ b/lighthouserc.js @@ -23,6 +23,16 @@ module.exports = { // Slow-4G profile so scores are stable across CI runners and // comparable to industry public benchmarks. preset: 'desktop', + // Chrome's user-namespace sandbox is disabled inside the act + // runner container (AppArmor restriction on the host kernel), + // so Chrome fails to launch with a "No usable sandbox" zygote + // error. `--no-sandbox` is the standard Lighthouse / Puppeteer + // / Playwright workaround for containerised CI: the residual + // risk is acceptable because Chrome only loads our own freshly + // built bundle from http://localhost:4200/ inside an ephemeral + // self-hosted runner container — no untrusted content reaches + // the browser process. + chromeFlags: '--no-sandbox', }, }, assert: {